TUCoPS :: Windows Apps :: n-142.txt

Microsoft Word Macros Vulnerability (CIAC N-142)


             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      Microsoft Word Macros Vulnerability
                     [Microsoft Security Bulletin MS03-035]

September 3, 2003 20:00 GMT                                       Number N-142
______________________________________________________________________________
PROBLEM:       A vulnerability in Microsoft Word macros has been identified 
               where Word incorrectly checks properties in a modified document 
               which, under certain circumstances, can bypass the appropriate 
               macro security checks when the document is opened. 
SOFTWARE:      Microsoft Word 97 
               Microsoft Word 98 (J) 
               Microsoft Word 2000 
               Microsoft Word 2002 
               Microsoft Works Suite 2001 
               Microsoft Works Suite 2002 
               Microsoft Works Suite 2003 
               NOTE: This only affects Microsoft Word, and not other members 
                     of the Office product family. 
DAMAGE:        A malicious macro could be embedded in a document allowing it 
               to be executed automatically, regardless of the level at which 
               macro security is set. The macro could take any action that the 
               user has permissions to do, such as adding, changing, or 
               deleting files, or formatting the hard drive. 
SOLUTION:      Apply the appropriate Microsoft patch as described in their 
               bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker cannot force the document to be 
ASSESSMENT:    opened automatically. A user must open the malicious document 
               for the attacker to be successful. For malicious documents sent 
               through e-mail, a user must be enticed to open the attachment. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-142.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?
                       url=/technet/security/bulletin/MS03-035.asp 
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS03-035 *****]

Microsoft Security Bulletin MS03-035  

Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
Originally posted: September 03, 2003

Summary
Who should read this bulletin: Customers who are using Microsoft® Word 

Impact of vulnerability: Run macros without warning 

Maximum Severity Rating: Important 

Recommendation: Customers who are using affected versions of Microsoft Word 
should apply the security patch immediately. 

End User Bulletin:
An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-035.asp. 

Affected Software: 
* Microsoft Word 97 
* Microsoft Word 98 (J) 
* Microsoft Word 2000 
* Microsoft Word 2002 
* Microsoft Works Suite 2001 
* Microsoft Works Suite 2002 
* Microsoft Works Suite 2003 

Technical details
Technical description: 

A macro is a series of commands and instructions that can be grouped together 
as a single command to accomplish a task automatically. Microsoft Word 
supports the use of macros to allow the automation of commonly performed 
tasks. Since macros are executable code it is possible to misuse them, so 
Microsoft Word has a security model designed to validate whether a macro 
should be allowed to execute depending on the level of macro security the 
user has chosen.

A vulnerability exists because it is possible for an attacker to craft a 
malicious document that will bypass the macro security model. If the document 
was opened, this flaw could allow a malicious macro embedded in the document 
to be executed automatically, regardless of the level at which macro security 
is set. The malicious macro could take the same actions that the user had 
permissions to carry out, such as adding, changing or deleting data or files, 
communicating with a web site or formatting the hard drive. 

The vulnerability could only be exploited by an attacker who persuaded a user 
to open a malicious document –there is no way for an attacker to force a 
malicious document to be opened.


Mitigating factors: 

* The user must open the malicious document for an attacker to be successful. 
  An attacker cannot force the document to be opened automatically. 
* The vulnerability cannot be exploited automatically through e-mail. A user 
  must open an attachment sent in e-mail for an e-mail borne attack to be 
  successful. 
* By default, Outlook 2002 block programmatic access to the Address Book. 
  In addition, Outlook 98 and 2000 block programmatic access to the Outlook 
  Address Book if the Outlook Email Security Update has been installed. 
  Customers who use any of these products would not be at risk of propagating 
  an e-mail borne attack that attempted to exploit this vulnerability. 
* The vulnerability only affects Microsoft Word – other members of the Office 
  product family are not affected. 
  
Severity Rating: Microsoft Word (all versions) Important 
Microsoft Works Suite (all versions) Important 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0664 

Tested Versions:
Microsoft tested Microsoft Word 2002, Microsoft Word 2000, 
Microsoft Word 98(J), Microsoft Word 97, Microsoft Word X for Macintosh, 
Microsoft Word 2001 for Macintosh, Microsoft Word 98 for Macintosh, 
Microsoft Works Suite 2003, Microsoft Works Suite 2002 and Microsoft Works 
Suite 2001 to assess whether they are affected by this vulnerability. 
Previous versions are no longer supported and may or may not be affected by 
this vulnerability.


Patch availability
Download locations for this patch 

* Microsoft Word 2002:
  http://microsoft.com/downloads/details.aspx?FamilyId=7D3775FC-F424-4B04-ABEB
  -9B4CA1EB182D&displaylang=en

* Administrative update only:
  http://www.microsoft.com/office/ork/xp/journ/wrd1006a.htm 

* Microsoft Word 2000:
  http://microsoft.com/downloads/details.aspx?FamilyId=4A8F6ACE-E14E-4978-A9C9
  -6989CD03A4A3&displaylang=en
	   
* Administrative update only:
  http://www.microsoft.com/office/ork/xp/journ/wrd0903a.htm 

* Microsoft Word 97/Microsoft Word 98(J):
  Information on receiving Microsoft Word 97 & Microsoft Word 98(J) support 
  is available at: 
  http://support.microsoft.com/default.aspx?scid=kb;en-us;827647 

* Microsoft recommends users visit Office Update at http://www.office.
  microsoft.com/ProductUpdates/default.aspx to detect and install this 
  security patch and all other public updates to Office family products 
  (note: Office Update does not support Office 97 or Visio 2000). 

  
Additional information about this patch
Installation platforms: 

* The Word 2002 patch can be installed on systems that are running Word 2002 
  with Office XP Service Pack 2, and on systems that are running Microsoft 
  Works Suite 2003 or Microsoft Works Suite 2002. The administrative update 
  can also be installed on systems that are running Office XP Service Pack 1. 

* The Word 2000 patch can be installed on systems that are running Word 2000 
  with Office 2000 Service Pack 3 and Microsoft Works 2001. 
  
* For information about Microsoft Word 97 and Microsoft Word 98(J) support, 
  see the following the following Microsoft Knowledge Base article: 
  http://support.microsoft.com/default.aspx?scid=kb;en-us;827647 
  
Inclusion in future service packs:
The fix for this issue will be included in future service packs for the 
affected products. 

Reboot needed: No 

Patch can be uninstalled: No 

Superseded patches: None. 

Verifying patch installation: 

* Word 2002: Verify that the version number of WinWord.exe is 10.0.5522.0. 

* Word 2000: Verify that the version number of WinWord.exe is 9.00.00.7924. 

* Word 97 and Word 98(J): Information about checking Microsoft Word 97 and 
  Microsoft Word 98(J) is available in Microsoft Knowledge Base article 
  827647. 
  
* Works Suite 2002 and Works Suite 2003: Verify that the version number of 
  WinWord.exe is 10.0.5522.0. 

* Works Suite 2001: Verify that the version number of WinWord.exe is 
  9.00.00.7924. 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed 
in "Patch Availability". 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can 
  be most easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments
Microsoft thanks Jim Bassett of Practitioners Publishing Company for 
reporting this issue to us and working with us to protect customers. 

Support: 

* Microsoft Knowledge Base article 827653 discusses this issue. Knowledge 
  Base articles can be found on the Microsoft Online Support web site. 

* Technical support is available from Microsoft Product Support Services. 
  There is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

V1.0 (September 03, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-035 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corp.  for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-132: Red Hat  wu-ftpd Buffer Overflow Vulnerability
N-133: Blaster Worm (aka: W32.Blaster, MSBlast, Lovsan, Win32.Poza)
N-134: Sun cachefs Patches May Overwrite inetd.conf File
N-135: Microsoft Cumulative Patch for Internet Explorer 
N-136: Microsoft Unchecked Buffer in MDAC Function Vulnerability 
N-137: Red Hat Updated pam_smb packages fix remote buffer overflow
N-138: Red Hat Updated Sendmail packages fix vulnerability
N-139: Red Hat Updated SSL Certificate for access to 'up2date'
N-140: Sun Linux Vulnerability in VNC Package may allow local or remote unauthorized access
N-141: Timing based attack vulnerabilities in the JAVA Secure Socket Extension




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH